Bug 304461

Summary: SELinux is preventing /usr/local/lib/firefox/firefox-bin from loading /usr/local/lib/firefox/extensions/talkback@mozilla.org/components/libqfaservices.so which requires text relocation.
Product: [Fedora] Fedora
Reporter: jd1008
Component: firefox
Assignee: Christopher Aillon <caillon>
Status: CLOSED INSUFFICIENT_DATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 7
CC: gecko-bugs-nobody, mcepl, samuel.sidler
Hardware: x86_64
OS: Linux
Whiteboard: firefox3INSUFFICIENT_DATAmassClosing
Doc Type: Bug Fix
Last Closed: 2008-04-09 14:05:23 UTC

Description jd1008 2007-09-25 05:55:42 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7

Description of problem:
SELinux is preventing /usr/local/lib/firefox/firefox-bin from loading /usr/local/lib/firefox/extensions/talkback/components/libqfaservices.so which requires text relocation.


Version-Release number of selected component (if applicable):
Mozilla Firefox 2.0.0.7, Copyright (c) 1998 - 2007 mozilla.org

How reproducible:
Always


Steps to Reproduce:
1. Install firefox 2.0.0.7 in /usr/local/lib
2. Enable SELinux. Reboot
3. Run firefox

Actual Results:
Firefox runs. I do not know of any problems with firefox as a result of
the problems reported by SELinux access monitor.

Expected Results:
SELinux should not have reported this problem.

Additional info:
Firefox is sucking most of the cpu.
Output from top shows:
  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND            
 3447 root      20   0  240m 111m  25m R 95.8  5.5  18:57.53 firefox-bin

Comment 1 Samuel Sidler (Mozilla Corporation) 2007-11-14 22:49:18 UTC
This is being tracked in Mozilla's Bugzilla as bug 403775.

This has also been seen in Fedora 8.

Comment 2 Chris A Abney 2007-12-29 02:35:33 UTC
I am seeing a similar issue in Fedora 8 with Firefox 2.0.0.10 when I add extensions.

Summary
    SELinux is preventing /usr/lib/firefox-2.0.0.10/firefox-bin from loading
    /home/Greyheart527/.mozilla/firefox/txzw0q1s.default/extensions/{10228D1E-
    6D25-4ccc-903E-272D66EEC763}/components/liblocalsearch.so which requires
    text relocation.

Detailed Description
    The /usr/lib/firefox-2.0.0.10/firefox-bin application attempted to load
    /home/Greyheart527/.mozilla/firefox/txzw0q1s.default/extensions/{10228D1E-
    6D25-4ccc-903E-272D66EEC763}/components/liblocalsearch.so which requires
    text relocation.  This is a potential security problem. Most libraries do
    not need this permission. Libraries are sometimes coded incorrectly and
    request this permission.  The http://people.redhat.com/drepper/selinux-
    mem.html web page explains how to remove this requirement.  You can
    configure SELinux temporarily to allow
    /home/Greyheart527/.mozilla/firefox/txzw0q1s.default/extensions/{10228D1E-
    6D25-4ccc-903E-272D66EEC763}/components/liblocalsearch.so to use relocation
    as a workaround, until the library is fixed. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Allowing Access
    If you trust /home/Greyheart527/.mozilla/firefox/txzw0q1s.default/extensions
    /{10228D1E-6D25-4ccc-903E-272D66EEC763}/components/liblocalsearch.so to run
    correctly, you can change the file context to textrel_shlib_t. "chcon -t
    textrel_shlib_t
    /home/Greyheart527/.mozilla/firefox/txzw0q1s.default/extensions/{10228D1E-
    6D25-4ccc-903E-272D66EEC763}/components/liblocalsearch.so" You must also
    change the default file context files on the system in order to preserve
    them even on a full relabel.  "semanage fcontext -a -t textrel_shlib_t
    /home/Greyheart527/.mozilla/firefox/txzw0q1s.default/extensions/{10228D1E-
    6D25-4ccc-903E-272D66EEC763}/components/liblocalsearch.so"

    The following command will allow this access:
    chcon -t textrel_shlib_t /home/Greyheart527/.mozilla/firefox/txzw0q1s.default/extensions/{10228D1E-6D25-4ccc-903E-272D66EEC763}/components/liblocalsearch.so

Additional Information        

Source Context                unconfined_u:system_r:unconfined_t:s0
Target Context                unconfined_u:object_r:unconfined_home_t:s0
Target Objects                /home/Greyheart527/.mozilla/firefox/txzw0q1s.defau
                              lt/extensions/{10228D1E-6D25-4ccc-903E-
                              272D66EEC763}/components/liblocalsearch.so [ file
                              ]
Affected RPM Packages         firefox-2.0.0.10-3.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-64.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.allow_execmod
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.21-2952.fc8xen #1
                              SMP Mon Nov 19 07:06:55 EST 2007 i686 i686
Alert Count                   1
First Seen                    Fri 28 Dec 2007 08:49:41 PM EST
Last Seen                     Fri 28 Dec 2007 08:49:41 PM EST
Local ID                      80e90a5b-c5ba-4be1-a888-9f249fee1869
Line Numbers                  

Raw Audit Messages            

avc: denied { execmod } for comm=firefox-bin dev=dm-0 egid=500 euid=500
exe=/usr/lib/firefox-2.0.0.10/firefox-bin exit=-13 fsgid=500 fsuid=500 gid=500
items=0 name=liblocalsearch.so
path=/home/Greyheart527/.mozilla/firefox/txzw0q1s.default/extensions/{10228D1E-
6D25-4ccc-903E-272D66EEC763}/components/liblocalsearch.so pid=3629
scontext=unconfined_u:system_r:unconfined_t:s0 sgid=500
subj=unconfined_u:system_r:unconfined_t:s0 suid=500 tclass=file
tcontext=unconfined_u:object_r:unconfined_home_t:s0 tty=(none) uid=500



Comment 3 Matěj Cepl 2008-02-21 22:35:08 UTC
At this point, we're going to only be taking security fixes and major stability
fixes into this release of Fedora.  However, we still want to ensure the bug is
fixed in the next version.  We'd appreciate if you could test Firefox 3,
available at http://www.mozilla.com/en-US/firefox/all-beta.html or now shipping
as the default in Fedora rawhide and provide feedback as to whether it still
exists so we can file a ticket upstream to try to fix it in Firefox 3 before it
is released.

Comment 4 Matěj Cepl 2008-02-21 22:36:31 UTC
At this point, we're going to only be taking security fixes and major stability
fixes into this release of Fedora.  However, we still want to ensure the bug is
fixed in the next version.  We'd appreciate if you could test Firefox 3,
available at http://www.mozilla.com/en-US/firefox/all-beta.html or now shipping
as the default in Fedora rawhide and provide feedback as to whether it still
exists so we can file a ticket upstream to try to fix it in Firefox 3 before it
is released.

Comment 5 Matěj Cepl 2008-04-09 14:05:23 UTC
Since there are insufficient details provided in this report for us to
investigate the issue further, and we have not received feedback to the
information we have requested above, we will assume the problem was not
reproducible, or has been fixed in one of the updates we have released for the
reporter's distribution.

Users who have experienced this problem are encouraged to upgrade to the latest
update of their distribution, and if this issue turns out to still be
reproducible in the latest update, please reopen this bug with additional
information.

Closing as INSUFFICIENT_DATA.

[This is a mass-closing request, if you think that this bug shouldn't be closed,
please, reopen with additional information.]